If you are reading this, you already know what GDPR is and why it is so important that your organisation is compliant. Like most working on compliance in their organisation, I have attended various GDPR events. Clearly, there is huge interest in this subject and it is interesting to see the various ways in which the topic of GDPR can be used to encourage attendees to events – even when there is a tenuous link at best.
At the most recent of one of these events that I attended, the audience was asked how prepared they were for GDPR – from no idea, through to validating a plan. The overwhelming response was ‘I know I need to do something, but I don’t know how’. From the perspective of someone going through GDPR compliance in a 10,000 employee global organisation, I wanted to share my experience of what has worked for me so far.
Step One: Build Awareness and Budget
It is a simple step, but so important. Your GDPR compliance project is going nowhere if you do not have the senior support and budget to sponsor it. For me, the compelling message to my board was the financial impact of the new penalties under the regulation. It is a tough message to deliver without scaremongering, but 4% of global turnover is sure to capture executive attention. I have found that it is useful to play through some of the more recent data breaches, such as Three, Tesco Bank and Sage and highlight what the fine could have been with GDPR in place. It is important to temper this message and explain that the financial penalty is up to 4% of global turnover or €20 million (whichever is greater), however an organisation could also see a 2% fine or a data processing prohibition order – any of these could be crippling to a business. Executives are starting to understand that it is not possible to eliminate all cyber security risks and they need to play an active part in protecting their organisation.
With this base level of awareness in place, I then identified those members of senior management that were advocates and invited them to an independent external legal briefing on GDPR. This helped me to make sure they heard a trusted second opinion and helped to bring to life the complexity of now having to consider IP addresses, usernames and meta-data as personally identifying information.
By doing this, you will build a small, albeit powerful community of change agents. Complement them by finding those in parts of the business that already understand their data protection responsibilities. Those that work in HR, Payroll and Pensions are usually good places to look. With this slightly larger community, you can build a taskforce who will have the mandate and understanding to actually deliver compliance. This mix of shareholders in different parts of the business is important because you will need to reiterate that GDPR compliance is not an IT or Legal issue in isolation.
Finally, become or hire a GDPR expert. As discussed early, you will not find a true GDPR expert due to the contemporary nature of the regulation. Individuals with a data protection or privacy background are most likely to be skilled in this area.
Step Two – Data Mapping and Gap Analysis
Before you can protect it, you will need to understand where the personally identifying information is within your business. Depending on how structured this data is within your business and how much budget you have, you may be able to do this using data discovery tooling. In my case, I opted to undertake data discovery workshops around the business. Even if you can use data discovery tools, I would still recommend a more traditional approach. Using a whiteboard, map out the high-level business processes and data flows, and capture any data security concerns. The objective of these workshops is to map the business processes and data flows around the business using the local knowledge of the people that operate these processes. This approach has two important benefits; firstly, the people that operate these processes are most likely to know the intricacies of the various data flows and human elements far better than any tool. Finally, those that know the process are best placed to identify and own compliance improvement activities. This is important because, like any significant change activity, you cannot do sustainable GDPR compliance to people.
In my business, I started these workshops in the parts of the business with the most sensitive data. Even with these early workshops, quick wins were identified, including cost savings with the removal of duplicate data. From here, you will have the momentum to move around the rest of the business and do the same in all areas – it is a big piece of work but it is essential. The output of these workshops will then give you high-level compliance status for the business and the detail to build a plan for improvement.
Step Three – Policy Review and New Rights
Alongside the data mapping process you will need to review the policy statements you have in place for data protection. Many of these you will already have in order to comply with the Data Protection Act, but they will need to be refreshed to cater for the new rights that data subjects will have under GDPR; such as right to be forgotten and data portability. These policy statements also act as the internal authority for employees and data owners to be aware of their responsibilities.
The new rights under GDPR are probably the most contentious part of the regulation. For subject access requests, you have 10 less days to service the request than you did under the DPA. That is just a simple example, but will require process improvement to prevent non-compliance situations. Taking the more complex new requirements, such as the right to be forgotten, a root and branch redesign of business processes involving personal data will be required.
Step Four – Review and Improve
As complex as GDPR is, it is really nothing new. We’ve had data protection legislation for nearly 20 years and now is the right time to be reviewing how this works in an increasingly connected world in which we have ‘big data’ possibilities to balance with the demands of privacy aware citizens.
In my view, the difference is that there is an expectation that data protection efforts become more effective within organisations. Whilst we have had data protection legislation for nearly two decades, the volume and impact of the now nearly countless data breaches proves that organisations aren’t really taking those responsibilities as seriously as they should. No-one wants to be the first organisation to suffer a data breach when GDPR comes into force, but it will be the true test of its asserted strength and only then will we see how the regulator wants to play their role going forward.
This means there must be a focus on sustainment when you are in a position that your organisation is compliant. There are many ways to test this, but the key has to be culture. Driving meaningful cultural change within an organisation is one of the hardest tasks to achieve but it all starts somewhere. I hope that this article helps you start that journey.